Carl Livitt wrote:

>--/ Product: phpMyAdmin versions <= 2.2.0rc3
>--/ Problem: Arbitrary remote command execution
>--/ Severity: High
>--/ Author: Carl Livitt (carl AT ititc DOT com)
>--/ Date: 31 July 2001
>

This isn't so much a problem with phpMyAdmin as it is with PHP in general. I would HIGHLY recommend turning off register_globals in php.ini (which is the default set in php.ini-dist for PHP 4+). With that option disabled, the only thing that passing in extra parameters can do is create entries in the $HTTP_GET_VARS array, and it's not possible to clobber global script variables.

I tested this with my installation of phpMyAdmin 2.1.0 and it is not vulnerable to the attack that you described, due to the settings I mentioned above.
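The clobbering the reply describes, as an added stand-alone example (not code from phpMyAdmin, from the advisory, or from either poster). It emulates register_globals=On with extract() so the effect can be seen on any PHP build, reports the live setting via ini_get(), and contrasts a script that trusts a bare global with one that initialises its flags and reads request data only from $HTTP_GET_VARS / $_GET. The variable names, the secret, and the request contents are constructed for illustration; register_globals itself was removed in PHP 5.4, so on modern PHP only the emulation path is reachable.

```php
<?php
// Added example: why register_globals=On lets a request parameter clobber
// a script global, and how the same script looks when it reads request data
// only through the request arrays. Not part of phpMyAdmin or the thread.

$emulate_register_globals = true;   // assumption: stands in for the php.ini setting

// Constructed request, as if the URL were script.php?authorized=1
$_GET = array('authorized' => '1');
$HTTP_GET_VARS = $_GET;             // PHP 4 name for the same array

// Report the live directive. ini_get() returns "" when off, "1" when on,
// and false on PHP >= 5.4, where the directive no longer exists.
function register_globals_status()
{
    $v = ini_get('register_globals');
    if ($v === false) {
        return 'absent (PHP >= 5.4, effectively off)';
    }
    return $v ? 'On (unsafe)' : 'Off';
}
echo 'register_globals: ' . register_globals_status() . "\n";

// With register_globals=On, PHP imports every request parameter as a global
// BEFORE the script's own code runs. extract() reproduces that step here.
if ($emulate_register_globals) {
    extract($_GET, EXTR_OVERWRITE);
}

$secret = 'correct-horse';   // constructed credential for the demo

// --- Vulnerable pattern --------------------------------------------------
// $authorized is assigned only on success; on failure the script never
// touches it, so the value injected by ?authorized=1 survives the check.
if (isset($_GET['password']) && $_GET['password'] === $secret) {
    $authorized = true;
}
if (!empty($authorized)) {
    echo "vulnerable script: access granted (password never checked)\n";
} else {
    echo "vulnerable script: access denied\n";
}

// --- Hardened pattern ----------------------------------------------------
// Initialise every flag unconditionally and take request data only from the
// request array; an extra ?authorized=1 then has nowhere to land, whatever
// the php.ini setting.
$authorized_ok = false;
if (isset($HTTP_GET_VARS['password']) && $HTTP_GET_VARS['password'] === $secret) {
    $authorized_ok = true;
}
if ($authorized_ok) {
    echo "hardened script: access granted\n";
} else {
    echo "hardened script: access denied\n";
}
```

Run it once with $emulate_register_globals set to true and once with false: the vulnerable branch grants access only in the first run, while the hardened branch denies access in both. On a real PHP 4 install the equivalent of the emulation is the `register_globals = On` line in php.ini; set it to `Off` and confirm with the ini_get() check above rather than trusting the shipped default.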